Message-ID: <46B045C9.4030700@kippdata.de>
Date: Wed, 01 Aug 2007 10:35:21 +0200
From: Rainer Jung
To: Tomcat Users List
Subject: Re: Confusion about tomcat security bulletin

5.0.HEAD is the most actual, non-released version of the 5.0 code branch. So this means the problem will be fixed in any new 5.0 release. Currently there are no plans to do a new 5.0 release.

So if security is a real concern for you, you should upgrade to at least 5.5 (which shouldn't be a big deal) or to 6.0. If you can't upgrade and you must fix the issue, you will need to build from the source (which is a little painful for TC 5.0).

Regards,

Rainer

CHENG Jianhua wrote:
> Dear All,
>
> Our company has an application that uses tomcat 5.0.27 and can't upgrade the
> version.
> I'm very concerned about the security issues related to this version.
>
> Now I have some confusion about the tomcat security bulletin
> http://tomcat.apache.org/security-5.html
> For example:
> ------------------------------------------------------------------------
> Fixed in Apache Tomcat 5.5.23, 5.0.HEAD
>
> important: Information disclosure CVE-2005-2090
>
> Requests with multiple content-length headers should be rejected
> as invalid. When multiple components (firewalls, caches, proxies and
> Tomcat) process a sequence of requests where one or more requests
> contain multiple content-length headers and several components do not
> reject the request and make different decisions as to which
> content-length header to use, an attacker can poison a web-cache,
> perform an XSS attack and obtain sensitive information from requests
> other than their own. Tomcat now returns 400 for requests with multiple
> content-length headers.
>
> Affects: 5.0.0-5.0.30, 5.5.0-5.5.22
>
> ------------------------------------------------------------------------
> This issue does affect 5.0.27, but "Fixed in Apache Tomcat 5.5.23,
> 5.0.HEAD". Does "5.0.HEAD" include 5.0.27 itself?
> If so, does it mean that when I get the new release 5.0.27 from the tomcat website
> then the issue will be fixed?
> And if a new issue has been reported, such as
> "moderate: Cross-site scripting CVE-2007-1355", which also
> affects 5.0.27 and is fixed in 5.0.HEAD, does it mean I must get
> 5.0.27 from the tomcat website again to fix this issue?
>
> Looking forward to your answer, and thanks a lot!
>
> Best regards,
> Cheng Jianhua

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
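As an added illustration (not part of the thread or of Tomcat's code), the check described in the quoted CVE-2005-2090 advisory, in Python: a small request-head parser that models how a lenient component silently picks the first or last Content-Length value, so two such components disagree on where the body ends, beside the hardened behaviour that rejects repeated Content-Length headers with 400. The sample request heads and host name are constructed.

```python
import re

# Constructed sample request heads (CRLF-terminated, bodies omitted); not real traffic.
REQUEST_OK = (b"POST /app/login HTTP/1.1\r\n"
              b"Host: example.invalid\r\n"
              b"Content-Length: 13\r\n\r\n")
REQUEST_DUPLICATE = (b"POST /app/login HTTP/1.1\r\n"
                     b"Host: example.invalid\r\n"
                     b"Content-Length: 13\r\n"
                     b"Content-Length: 44\r\n\r\n")

# Header field name (token characters), colon, optional whitespace, value.
HEADER_RE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")

def parse_headers(head):
    """Return (name, value) pairs in order, keeping duplicates; names lower-cased."""
    headers = []
    for line in head.split(b"\r\n")[1:]:   # skip the request line
        if line == b"":                    # blank line ends the header block
            break
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("malformed header line: %r" % line)
        headers.append((m.group(1).decode("ascii").lower(),
                        m.group(2).decode("ascii")))
    return headers

def lenient_content_length(headers, policy):
    """Model a lenient component that silently uses the first or last value.
    Two components with different policies read different body lengths,
    which is the disagreement the advisory describes."""
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None
    return int(values[0] if policy == "first" else values[-1])

def validate_request(head):
    """Hardened behaviour from the advisory: repeated Content-Length -> 400.
    Returns (status, reason)."""
    try:
        headers = parse_headers(head)
    except ValueError as exc:
        return 400, str(exc)
    values = [v for n, v in headers if n == "content-length"]
    if len(values) > 1:
        return 400, "multiple Content-Length headers"
    if values and not values[0].isdigit():
        return 400, "non-numeric Content-Length"
    return 200, "ok"
```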